In the Belly of the Breach: What Every In-House Counsel Needs to Know about Data Breach Response

ACC International Legal Affairs Committee
Legal Quick Hit: May 8, 2014

Presented by:
Colin Zick, Foley Hoag LLP
Gant Redmon, General Counsel, Co3 Systems, Inc.

Upload: darren-preston

Post on 25-Dec-2015


“In the Belly of the Breach” | © 2014 Foley Hoag LLP. All Rights Reserved.

Key Issues We Will Address

• Common Breach Scenarios
• Anatomy of a Common Type of Data Breach
• Legal Frameworks for Breach Response
• Preparing for and Responding to the Breach
• Incident Response and Investigation
• Breach Notification and Resolution
• Preparing for Related Litigation and Government Investigations
• Breach Insurance
• Getting Ahead of the Game: Industry Collaboration

Common Data Breach Scenarios

• Accidental Breaches
• Faithless Employee/Ex-Employee
• Hackers & Thieves / Organized Crime
• Competitive Espionage

Anatomy of a Common Type of Data Breach


Legal Framework for Breach Response

• Customer Privacy Laws
• Federal and state identity theft laws and regulations
  - Requiring customer notice
  - Requiring information security programs
• HIPAA / Medical information regulation
• Gramm Leach Bliley / Financial information regulation
• Regulations for specific industries (e.g., FCC CPNI Regulations)
• Laws governing specific information (e.g., Social Security number statutes)
• Negligence / Consumer protection laws
• Authorized Use Statutes
• Computer Fraud & Abuse Act (CFAA)
• Electronic Communications Privacy Act (ECPA)
• Stored Communications Act (SCA)
• Surveillance / Information Security Law
• Federal & State Wiretapping Statutes
• Invasion of Privacy
• Property Law
• Larceny / Conversion
• Trade Secrets
• Copyright / Digital Millennium Copyright Act (DMCA)

Preparing for and Responding to a Breach

• Compliance / developing information security programs
• Incident response and investigation
• Breach notification and resolution
• Anticipate government investigations and possible litigation, as well as consumer litigation
• Press/public relations strategy

Incident Response and Investigation

• What is in-house counsel’s role in responding to a breach?
• Notice:
  - To federal/state agencies;
  - To those impacted by the breach as both a matter of state law and risk management
• Mitigation
• The role of notice and credit monitoring
• In post-breach public statements, what key points should be included to minimize litigation risk?
• To what extent can a company be liable for lost data?
• How much can a typical breach cost a company both in time, brand equity and internal distraction?
• What kind of insurance, if any, can a company use to offset costs? Does it really help cover the costs?
• The role of outside counsel

Quantify the Risk (But I Really Don’t Want to Disclose)


Develop an Incident Response Plan


Track the Plan


Breach Insurance

• Still a developing area
• Limited history of evaluating risk, so premiums can vary widely
• Scope of coverage can vary widely
• Limits vary and can range from $25,000 to $25 million depending on the nature of the policy and business.
• What can be covered?
  – Crisis management services
  – Notification of breached parties
  – Credit/public records/fraud monitoring
  – Fraud remediation services

Questions


Contact Information

Colin J. Zick, Esq.
Foley Hoag LLP
[email protected]
(617) 832-1275

Gant Redmon, Esq.
Vice President, Business Development, and General Counsel
Co3 Systems, Inc.
[email protected]
(617) 300-8136